Federal Banking Agencies Have Issued Proposed Rules Which Deal with the Privacy of Consumer Financial Information. The Question is, Do the Proposed Rules Go Too Far or Not Far Enough?

CRE is Requesting Comments from the Public to Ensure that Federal Banking Regulatory Agencies, in Issuing the Final Rules, Comply With Statutory Authorities that Protect the Consumer's Right to Privacy But Not at an Excessive Cost.

Four agencies - Office of the Comptroller of the Currency, Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation and Office of Thrift Supervision - have joined together in issuing a proposed rule to implement the Gramm-Leach-Bliley Act ("G-L-B Act"). The proposed rule is designed to implement the notice requirements and disclosure restrictions in the Act.

This proposed rule represents perhaps the first time that an information privacy regulation affecting the entire American public has been offered for debate through the public comment process. The precedents set by this regulation will have ramifications for many other industries (e.g., healthcare, media, retail) as information privacy concerns become the targets of legislation, regulation and litigation.

The purpose of the regulation is to delineate what financial institutions must do to comply with the new law. The new requirements would include the following:

A financial institution would have to provide notice to a "consumer" about the institution's privacy policies before releasing "nonpublic personal information" about the consumer to an unaffiliated third party. A "consumer" is any person the financial institution has dealings with, even if the person is not a "customer." An example of a "consumer" who is not a "customer" is a person who uses the financial institution's ATM machine (even though that person does not have an account at the institution).

A financial institution would have to provide notice to a "customer" of the institution's privacy policies at the time the customer relationship is established.

The financial institution would have to provide both customers and consumers with the opportunity to "opt out" of having their nonpublic personal information released to institutions not affiliated with the releasing institution.

The rules would only apply to information pertaining to individuals who obtain a financial product or service from the institution to be used for personal, family, or household purposes.

The following are the key questions being raised for public comment.

What kinds of publicly available information should be excluded from the new requirements? Under "Alternative A," information would be deemed public (and thus not subject to the new requirements) if it is actually obtained from public sources (e.g., media, government records). Under "Alternative B," it would suffice if the information were obtainable from public sources (i.e., even if in actuality the information was obtained from another financial institution).

Should nonidentifiable personal information (i.e., information with no indicators of the individual's identity) be subject to, or excluded from, the proposed rule?

How should the notice of the pending disclosure and attendant right to "opt out" (i.e., to prevent the disclosure) be provided? Is electronic transmission enough under certain circumstances?

How much advance notice should the individual who is the subject of the data have to "opt out"? What must the individual do to "opt out"?

What categories of nonpublic personal information should a financial institution be allowed to collect for eventual disclosure?

The proposed regulation leads to an additional fundamental policy issue: should the statutory exemption that allows private consumer information to be shared by bank affiliates, such as brokerages and insurance companies, be revisited, or, in the alternative, should the regulation require banks to give customers the right to keep all information private?